mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 13:58:22 +00:00
Code Issues Releases Wiki Activity

used perltidy to clean up the formatting for the perl scripts in the

Browse Source 
utils package and manually fixed some places where perltidy's
reformatting made it harder to read.  the options used were--

-i=4    # 4-space indentation
-l=0    # unlimited line length (for now)
-pt=2   # slightly tightened parens
-ce     # cuddled elses
-nolq   # don't outdent long quotes
-nsfs   # don't add spaces in front of semi-colons in for ( ) statements
-isbc   # only indent block comments that have whitespace in front of them
-otr    # don't place a break between a comma and an opening brace

the code will be refactored to make it possible to switch to using 
80-column line-breaks without resorting to really nasty formatting 
constructs.
This commit is contained in:
Jesse Michael
2007-03-20 21:58:38 +00:00
parent f29097e401
commit d8ae032328
11 changed files with 5115 additions and 4774 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2309
utils/Reports.pm
View File

File diff suppressed because it is too large Load Diff

277
utils/Severity.pm
View File

@@ -9,7 +9,6 @@
#
# ------------------------------------------------------------------
package Immunix::Severity;
use strict;
use Data::Dumper;
@@ -17,67 +16,77 @@ use Data::Dumper;
my ($debug) = 0;
sub debug {
print @_ if $debug;
print @_ if $debug;
}
sub new {
my $self = {};
$self->{DATABASENAME} = undef;
$self->{CAPABILITIES} = {};
$self->{FILES} = {};
$self->{REGEXPS} = {};
$self->{DEFAULT_RANK} = 10;
bless($self);
shift;
$self->init(@_) if @_;
return $self;
my $self = {};
$self->{DATABASENAME} = undef;
$self->{CAPABILITIES} = {};
$self->{FILES} = {};
$self->{REGEXPS} = {};
$self->{DEFAULT_RANK} = 10;
bless($self);
shift;
$self->init(@_) if @_;
return $self;
}
sub init ($;$) {
my ($self, $resource, $read, $write, $execute, $severity);
$self = shift;
$self->{DATABASENAME} = shift;
$self->{DEFAULT_RANK} = shift if defined $_[0];
open(DATABASE, $self->{DATABASENAME}) or die "Could not open severity db $self->{DATABASENAME}: $!\n";
while (<DATABASE>) {
chomp();
next if m/^\s*#/;
next if m/^\s*$/;
# leading whitespace is fine; maybe it shouldn't be?
if(/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
my ($path, $read, $write, $execute) = ($1, $2, $3, $4);
my ($self, $resource, $read, $write, $execute, $severity);
$self = shift;
$self->{DATABASENAME} = shift;
$self->{DEFAULT_RANK} = shift if defined $_[0];
open(DATABASE, $self->{DATABASENAME})
or die "Could not open severity db $self->{DATABASENAME}: $!\n";
while (<DATABASE>) {
chomp();
next if m/^\s*#/;
next if m/^\s*$/;
if(index($path, "*") == -1) {
# leading whitespace is fine; maybe it shouldn't be?
if (/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
my ($path, $read, $write, $execute) = ($1, $2, $3, $4);
$self->{FILES}{$path} = { r => $read, w => $write, x => $execute };
if (index($path, "*") == -1) {
} else {
$self->{FILES}{$path} = {
r => $read,
w => $write,
x => $execute
};
my $ptr = $self->{REGEXPS};
my @pieces = split(/\//, $path);
} else {
while(my $piece = shift @pieces) {
if(index($piece, "*") != -1) {
my $path = join("/", $piece, @pieces);
my $regexp = convert_regexp($path);
$ptr->{$regexp}{SD_RANK} = { r => $read, w => $write, x => $execute };
last;
} else {
$ptr->{$piece} = { } unless exists $ptr->{$piece};
$ptr = $ptr->{$piece};
}
my $ptr = $self->{REGEXPS};
my @pieces = split(/\//, $path);
while (my $piece = shift @pieces) {
if (index($piece, "*") != -1) {
my $path = join("/", $piece, @pieces);
my $regexp = convert_regexp($path);
$ptr->{$regexp}{SD_RANK} = {
r => $read,
w => $write,
x => $execute
};
last;
} else {
$ptr->{$piece} = {} unless exists $ptr->{$piece};
$ptr = $ptr->{$piece};
}
}
}
} elsif (m|^\s*CAP|) {
($resource, $severity) = split;
$self->{CAPABILITIES}{$resource} = $severity;
} else {
print "unexpected database line: $_\n";
}
}
} elsif (m|^\s*CAP|) {
($resource, $severity) = split;
$self->{CAPABILITIES}{$resource}=$severity;
} else {
print "unexpected database line: $_\n";
}
}
close(DATABASE);
debug Dumper($self);
return $self;
close(DATABASE);
debug Dumper($self);
return $self;
}
#rank:
@@ -96,110 +105,118 @@ sub init ($;$) {
# otherwise, return the maximum from the database
sub handle_capability ($) {
my ($self, $resource) = @_;
my ($self, $resource) = @_;
my $ret = $self->{CAPABILITIES}{$resource};
if (!defined($ret)) {
return "unexpected capability rank input: $resource\n";
}
return $ret;
my $ret = $self->{CAPABILITIES}{$resource};
if (!defined($ret)) {
return "unexpected capability rank input: $resource\n";
}
return $ret;
}
sub check_subtree {
my ($tree, $mode, $sev, $first, @rest) = @_;
my ($tree, $mode, $sev, $first, @rest) = @_;
# reassemble the remaining path from this directory level
my $path = join("/", $first, @rest);
# reassemble the remaining path from this directory level
my $path = join("/", $first, @rest);
# first check if we have a literal directory match to descend into
if($tree->{$first}) {
$sev = check_subtree($tree->{$first}, $mode, $sev, @rest);
}
# if we didn't get a severity already, check for matching globs
unless($sev) {
# check each glob at this directory level
for my $chunk (grep { index($_, "*") != -1 } keys %{$tree}) {
# does it match the rest of our path?
if($path =~ /^$chunk$/) {
# if we've got a ranking, check if it's higher than current one, if any
if($tree->{$chunk}->{SD_RANK}) {
for my $m (split(//, $mode)) {
if((! defined $sev) || $tree->{$chunk}->{SD_RANK}->{$m} > $sev) {
$sev = $tree->{$chunk}->{SD_RANK}->{$m};
}
}
}
}
# first check if we have a literal directory match to descend into
if ($tree->{$first}) {
$sev = check_subtree($tree->{$first}, $mode, $sev, @rest);
}
}
return $sev;
# if we didn't get a severity already, check for matching globs
unless ($sev) {
# check each glob at this directory level
for my $chunk (grep { index($_, "*") != -1 } keys %{$tree}) {
# does it match the rest of our path?
if ($path =~ /^$chunk$/) {
# if we've got a ranking, check if it's higher than
# current one, if any
if ($tree->{$chunk}->{SD_RANK}) {
for my $m (split(//, $mode)) {
if ((!defined $sev)
|| $tree->{$chunk}->{SD_RANK}->{$m} > $sev)
{
$sev = $tree->{$chunk}->{SD_RANK}->{$m};
}
}
}
}
}
}
return $sev;
}
sub handle_file ($$) {
my ($self, $resource, $mode) = @_;
my ($self, $resource, $mode) = @_;
# strip off the initial / from the path we're checking
$resource = substr($resource, 1);
# strip off the initial / from the path we're checking
$resource = substr($resource, 1);
# break the path into directory-level chunks
my @pieces = split(/\//, $resource);
# break the path into directory-level chunks
my @pieces = split(/\//, $resource);
my $sev;
my $sev;
# if there's a exact match for this path in the db, use that instead of
# checking the globs
if($self->{FILES}{$resource}) {
# if there's a exact match for this path in the db, use that instead of
# checking the globs
if ($self->{FILES}{$resource}) {
# check each piece of the passed mode against the db entry
for my $m (split(//, $mode)) {
if ((!defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
$sev = $self->{FILES}{$resource}{$m};
}
}
} else {
# descend into the regexp tree looking for matches
$sev = check_subtree($self->{REGEXPS}, $mode, $sev, @pieces);
# check each piece of the passed mode against the db entry
for my $m (split(//, $mode)) {
if((! defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
$sev = $self->{FILES}{$resource}{$m};
}
}
} else {
# descend into the regexp tree looking for matches
$sev = check_subtree($self->{REGEXPS}, $mode, $sev, @pieces);
}
return (defined $sev) ? $sev : $self->{DEFAULT_RANK};
return (defined $sev) ? $sev : $self->{DEFAULT_RANK};
}
sub rank ($;$) {
my ($self, $resource, $mode) = @_;
if (substr($resource,0,1) eq "/") {
return $self->handle_file($resource, $mode);
} elsif (substr($resource,0,3) eq "CAP") {
return $self->handle_capability($resource);
} else {
return "unexpected rank input: $resource\n";
}
my ($self, $resource, $mode) = @_;
if (substr($resource, 0, 1) eq "/") {
return $self->handle_file($resource, $mode);
} elsif (substr($resource, 0, 3) eq "CAP") {
return $self->handle_capability($resource);
} else {
return "unexpected rank input: $resource\n";
}
}
sub convert_regexp ($) {
my ($input) = shift;
# we need to convert subdomain regexps to perl regexps
my $regexp = $input;
# escape + . [ and ] characters
$regexp =~ s/(\+|\.|\[|\])/\\$1/g;
# convert ** globs to match anything
$regexp =~ s/\*\*/.SDPROF_INTERNAL_GLOB/g;
# convert * globs to match anything at current path level
$regexp =~ s/\*/[^\/]SDPROF_INTERNAL_GLOB/g;
# convert {foo,baz} to (foo|baz)
$regexp =~ y/\{\}\,/\(\)\|/ if $regexp =~ /\{.*\,.*\}/;
# twiddle the escaped * chars back
$regexp =~ s/SDPROF_INTERNAL_GLOB/\*/g;
return $regexp;
my ($input) = shift;
# we need to convert subdomain regexps to perl regexps
my $regexp = $input;
# escape + . [ and ] characters
$regexp =~ s/(\+|\.|\[|\])/\\$1/g;
# convert ** globs to match anything
$regexp =~ s/\*\*/.SDPROF_INTERNAL_GLOB/g;
# convert * globs to match anything at current path level
$regexp =~ s/\*/[^\/]SDPROF_INTERNAL_GLOB/g;
# convert {foo,baz} to (foo|baz)
$regexp =~ y/\{\}\,/\(\)\|/ if $regexp =~ /\{.*\,.*\}/;
# twiddle the escaped * chars back
$regexp =~ s/SDPROF_INTERNAL_GLOB/\*/g;
return $regexp;
}
1; # so the require or use succeeds
1; # so the require or use succeeds

5011
utils/SubDomain.pm
View File

File diff suppressed because it is too large Load Diff

1505
utils/aa-eventd
View File

File diff suppressed because it is too large Load Diff

91
utils/audit
View File

@@ -39,11 +39,11 @@ textdomain("apparmor-utils");
$UI_Mode = "text";
# options variables
my $help = '';
my $help = '';
GetOptions(
'dir|d=s' => \$profiledir,
'help|h' => \$help,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
);
# tell 'em how to use it...
@@ -52,9 +52,9 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
# read the settings in /etc/logprof.conf
@@ -63,62 +63,63 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString("Please enter the program to switch to audit mode: ", "") );
unless (@profiling) {
@profiling = (UI_GetString("Please enter the program to switch to audit mode: ", ""));
}
for my $profiling (@profiling) {
next unless $profiling;
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
my $fqdbin;
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
$filename = getprofilefilename($fqdbin);
if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
# argh, skip directories
next unless -f $filename;
if (-e $fqdbin) {
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
my $filename;
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
printf(gettext('Setting %s to audit mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "audit");
# argh, skip directories
next unless -f $filename;
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
printf(gettext('Setting %s to audit mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "audit");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
exit 1;
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
}
}
exit 0;
sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to audit mode ]"), $0));
exit 0;
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to audit mode ]"), $0));
exit 0;
}

96
utils/autodep
View File

@@ -21,7 +21,6 @@
# you may find current contact information at www.novell.com.
# ----------------------------------------------------------------------
use strict;
use FindBin;
use Getopt::Long;
@@ -43,13 +42,13 @@ textdomain("apparmor-utils");
$UI_Mode = "text";
# options variables
my $help = '';
my $force = undef;
my $help = '';
my $force = undef;
GetOptions(
'force' => \$force,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
'force' => \$force,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
);
# tell 'em how to use it...
@@ -60,9 +59,9 @@ my $sd_mountpoint = check_for_subdomain();
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
UI_Important(sprintf(gettext('Can\'t find subdomain profiles in %s.'), $profiledir));
exit 1;
unless (-d $profiledir) {
UI_Important(sprintf(gettext('Can\'t find subdomain profiles in %s.'), $profiledir));
exit 1;
}
# read the settings in /etc/logprof.conf
@@ -71,59 +70,58 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to create a profile for: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to create a profile for: "), ""));
}
for my $profiling (@profiling) {
next unless $profiling;
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) {
UI_Info(sprintf(gettext('%s is currently marked as a program that should not have it\'s own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you\'re doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.'), $fqdbin));
exit 1;
}
}
if(-e $fqdbin) {
if(-e getprofilefilename($fqdbin) && !$force) {
UI_Info(sprintf(gettext('Profile for %s already exists - skipping.'), $fqdbin));
my $fqdbin;
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
autodep($fqdbin);
reload($fqdbin) if $sd_mountpoint;
if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
} else {
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if ($qualifiers{$fqdbin}) {
unless ($qualifiers{$fqdbin} =~ /p/) {
UI_Info(sprintf(gettext('%s is currently marked as a program that should not have it\'s own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you\'re doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.'), $fqdbin));
exit 1;
}
}
if (-e $fqdbin) {
if (-e getprofilefilename($fqdbin) && !$force) {
UI_Info(sprintf(gettext('Profile for %s already exists - skipping.'), $fqdbin));
} else {
autodep($fqdbin);
reload($fqdbin) if $sd_mountpoint;
}
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
exit 1;
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
}
}
exit 0;
sub usage {
UI_Info("usage: $0 [ --force ] [ -d /path/to/profiles ]");
exit 0;
UI_Info("usage: $0 [ --force ] [ -d /path/to/profiles ]");
exit 0;
}

91
utils/complain
View File

@@ -39,11 +39,11 @@ textdomain("apparmor-utils");
$UI_Mode = "text";
# options variables
my $help = '';
my $help = '';
GetOptions(
'dir|d=s' => \$profiledir,
'help|h' => \$help,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
);
# tell 'em how to use it...
@@ -52,9 +52,9 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
# read the settings in /etc/logprof.conf
@@ -63,62 +63,63 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to complain mode: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to switch to complain mode: "), ""));
}
for my $profiling (@profiling) {
next unless $profiling;
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
my $fqdbin;
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
$filename = getprofilefilename($fqdbin);
if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
# argh, skip directories
next unless -f $filename;
if (-e $fqdbin) {
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
my $filename;
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
printf(gettext('Setting %s to complain mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "complain");
# argh, skip directories
next unless -f $filename;
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
printf(gettext('Setting %s to complain mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "complain");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
exit 1;
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
exit 1;
}
}
}
}
exit 0;
sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to complain mode ]"), $0));
exit 0;
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to complain mode ]"), $0));
exit 0;
}

89
utils/enforce
View File

@@ -39,11 +39,11 @@ textdomain("apparmor-utils");
$UI_Mode = "text";
# options variables
my $help = '';
my $help = '';
GetOptions(
'dir|d=s' => \$profiledir,
'help|h' => \$help,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
);
# tell 'em how to use it...
@@ -52,9 +52,9 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
# read the settings in /etc/logprof.conf
@@ -63,61 +63,62 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to enforce mode: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to switch to enforce mode: "), ""));
}
for my $profiling (@profiling) {
next unless $profiling;
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
my $fqdbin;
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
$filename = getprofilefilename($fqdbin);
if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
# argh, skip directories
next unless -f $filename;
if (-e $fqdbin) {
my $filename;
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
# argh, skip directories
next unless -f $filename;
printf(gettext('Setting %s to enforce mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "");
# skip rpm backup files
next if $filename =~ /\.rpm(save|new)$/;
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
printf(gettext('Setting %s to enforce mode.'), $fqdbin);
print "\n";
setprofileflags($filename, "");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
exit 1;
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
}
}
exit 0;
sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"), $0));
exit 0;
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"), $0));
exit 0;
}

147
utils/genprof
View File

@@ -39,55 +39,56 @@ setlocale(LC_MESSAGES, "");
textdomain("apparmor-utils");
# options variables
my $help = '';
my $help = '';
GetOptions(
'file|f=s' => \$filename,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
'file|f=s' => \$filename,
'dir|d=s' => \$profiledir,
'help|h' => \$help,
);
# tell 'em how to use it...
&usage && exit if $help;
my $sd_mountpoint = check_for_subdomain();
unless($sd_mountpoint) {
fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
unless ($sd_mountpoint) {
fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
}
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
}
# what are we profiling?
my $profiling = shift;
unless($profiling) {
$profiling = UI_GetString(gettext("Please enter the program to profile: "), "") || exit 0;
unless ($profiling) {
$profiling = UI_GetString(gettext("Please enter the program to profile: "), "")
|| exit 0;
}
my $fqdbin;
if(-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
}
unless($fqdbin && -e $fqdbin) {
if($profiling =~ /^[^\/]+$/) {
fatal_error(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' in the other window in order to find the fully-qualified path.'), $profiling, $profiling));
} else {
fatal_error(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
}
unless ($fqdbin && -e $fqdbin) {
if ($profiling =~ /^[^\/]+$/) {
fatal_error(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' in the other window in order to find the fully-qualified path.'), $profiling, $profiling));
} else {
fatal_error(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
}
}
# read the settings in /etc/logprof.conf
@@ -95,73 +96,72 @@ readconfig();
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) {
fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $fqdbin));
}
if ($qualifiers{$fqdbin}) {
unless ($qualifiers{$fqdbin} =~ /p/) {
fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $fqdbin));
}
}
# load all the include files
loadincludes();
my $profilefilename = getprofilefilename($fqdbin);
if(-e $profilefilename) {
$helpers{$fqdbin} = getprofileflags($profilefilename) || "enforce";
if (-e $profilefilename) {
$helpers{$fqdbin} = getprofileflags($profilefilename) || "enforce";
} else {
autodep($fqdbin);
$helpers{$fqdbin} = "enforce";
autodep($fqdbin);
$helpers{$fqdbin} = "enforce";
}
if($helpers{$fqdbin} eq "enforce") {
complain($fqdbin);
reload($fqdbin);
if ($helpers{$fqdbin} eq "enforce") {
complain($fqdbin);
reload($fqdbin);
}
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
my $syslog = 1;
my $logmark = "";
my $syslog = 1;
my $logmark = "";
my $done_profiling = 0;
$syslog = 0 if ( -e "/var/log/audit/audit.log" );
$syslog = 0 if (-e "/var/log/audit/audit.log");
while(not $done_profiling) {
if ( $syslog ) {
$logmark = `date | md5sum`;
chomp $logmark;
$logmark = $1 if $logmark =~ /^([0-9a-f]+)/;
system("/bin/logger -p kern.warn 'GenProf: $logmark'");
} else {
$logmark = last_audit_entry_time();
}
while (not $done_profiling) {
if ($syslog) {
$logmark = `date | md5sum`;
chomp $logmark;
$logmark = $1 if $logmark =~ /^([0-9a-f]+)/;
system("/bin/logger -p kern.warn 'GenProf: $logmark'");
} else {
$logmark = last_audit_entry_time();
}
my $q = { };
$q->{headers} = [ gettext("Profiling"), $fqdbin ];
$q->{functions} = [ "CMD_SCAN", "CMD_FINISHED" ];
$q->{default} = "CMD_SCAN";
my $q = {};
$q->{headers} = [ gettext("Profiling"), $fqdbin ];
$q->{functions} = [ "CMD_SCAN", "CMD_FINISHED" ];
$q->{default} = "CMD_SCAN";
my ($ans, $arg) = UI_PromptUser($q);
my ($ans, $arg) = UI_PromptUser($q);
if($ans eq "CMD_SCAN") {
if ($ans eq "CMD_SCAN") {
my $lp_ret = do_logprof_pass($logmark);
my $lp_ret = do_logprof_pass($logmark);
$done_profiling = 1 if $lp_ret eq "FINISHED";
$done_profiling = 1 if $lp_ret eq "FINISHED";
} else {
} else {
$done_profiling = 1;
$done_profiling = 1;
}
}
}
for my $p (sort keys %helpers) {
if($helpers{$p} eq "enforce") {
enforce($p);
reload($p);
}
if ($helpers{$p} eq "enforce") {
enforce($p);
reload($p);
}
}
UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
@@ -169,18 +169,17 @@ UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ program to profile ]"), $0));
exit 0;
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ program to profile ]"), $0));
exit 0;
}
sub last_audit_entry_time {
local $_ = `tail -1 /var/log/audit/audit.log`;
my $logmark;
if ( /^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/ ) {
$logmark = $1;
} else {
$logmark = "";
}
return $logmark;
local $_ = `tail -1 /var/log/audit/audit.log`;
my $logmark;
if (/^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/) {
$logmark = $1;
} else {
$logmark = "";
}
return $logmark;
}

18
utils/logprof
View File

@@ -39,14 +39,14 @@ textdomain("apparmor-utils");
setup_yast();
# options variables
my $help = '';
my $help = '';
my $logmark;
GetOptions(
'file|f=s' => \$filename,
'dir|d=s' => \$profiledir,
'logmark|m=s' => \$logmark,
'help|h' => \$help,
'file|f=s' => \$filename,
'dir|d=s' => \$profiledir,
'logmark|m=s' => \$logmark,
'help|h' => \$help,
);
# tell 'em how to use it...
@@ -55,8 +55,8 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
}
# read the settings in /etc/logprof.conf
@@ -72,7 +72,7 @@ shutdown_yast();
exit 0;
sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""), $0));
exit 0;
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""), $0));
exit 0;
}

93
utils/unconfined
View File

@@ -34,74 +34,77 @@ use POSIX;
setlocale(LC_MESSAGES, "");
textdomain("apparmor-utils");
# options variables
my $paranoid = '';
my $help = '';
GetOptions(
'paranoid' => \$paranoid,
'help|h' => \$help,
'paranoid' => \$paranoid,
'help|h' => \$help,
);
# tell 'em how to use it...
&usage && exit if $help;
sub usage {
printf (gettext("Usage: %s [ --paranoid ]\n"), $0);
exit 0;
printf(gettext("Usage: %s [ --paranoid ]\n"), $0);
exit 0;
}
my $subdomainfs = check_for_subdomain();
die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.")."\n" unless $subdomainfs;
die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
unless $subdomainfs;
my @pids;
if($paranoid) {
opendir(PROC, "/proc") or die gettext("Can't read /proc\n");
@pids = grep { /^\d+$/ } readdir(PROC);
closedir(PROC);
if ($paranoid) {
opendir(PROC, "/proc") or die gettext("Can't read /proc\n");
@pids = grep { /^\d+$/ } readdir(PROC);
closedir(PROC);
} else {
if(open(NETSTAT, "/bin/netstat -nlp |")) {
while(<NETSTAT>) {
chomp;
push @pids, $5 if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/;
if (open(NETSTAT, "/bin/netstat -nlp |")) {
while (<NETSTAT>) {
chomp;
push @pids, $5
if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/;
}
close(NETSTAT);
}
close(NETSTAT);
}
}
for my $pid (sort { $a <=> $b } @pids) {
my $prog = readlink "/proc/$pid/exe" or next;
my $attr;
if(open(CURRENT, "/proc/$pid/attr/current")) {
while(<CURRENT>) {
chomp;
$attr = $_ if(/^\// || /^null/);
my $prog = readlink "/proc/$pid/exe" or next;
my $attr;
if (open(CURRENT, "/proc/$pid/attr/current")) {
while (<CURRENT>) {
chomp;
$attr = $_ if (/^\// || /^null/);
}
close(CURRENT);
}
close(CURRENT);
}
if(not $attr) {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("not confined\n");
if (not $attr) {
if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("not confined\n");
} else {
print "$pid $prog " . gettext("not confined\n");
}
} else {
print "$pid $prog " . gettext("not confined\n");
if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("confined by") . " '$attr'\n";
} else {
print "$pid $prog " . gettext("confined by") . " '$attr'\n";
}
}
} else {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("confined by") . " '$attr'\n";
} else {
print "$pid $prog " . gettext("confined by") . " '$attr'\n";
}
}
}